=============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
============================================================
Volume 2.01 January 18, 1995
------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
info@epic.org
=======================================================================
Table of Contents
=======================================================================
[1] Nader Speaks to Privacy Advocates
[2] European Privacy Directive Moves Forward
[3] EPIC Calls for Congressional FOIA
[4] New DOJ Guidelines on Computer Search and Seizure
[5] Court Dismisses LaMacchia Case
[6] IRS Initiates New Database System
[7] EPIC WWW Page and Digicash Donations
[8] Upcoming Conferences and Events
=======================================================================
[1] Nader Speaks to Privacy Advocates
=======================================================================
Consumer advocate Ralph Nader urged privacy activists and academics to
put a "hard edge on the privacy movement" at a meeting sponsored by
the Electronic Privacy Information Center and the Privacy Journal in
Washington, DC in mid-January. The conference brought together more
than thirty leading privacy experts and advocates from across the
country. The group discussed prospects for privacy reform in the new
Congress and efforts to support local and international privacy
initiatives.
Mr. Nader, who thirty years ago won a landmark privacy case against
General Motors, said it was time to "name names" and present the
"rogues gallery" of privacy violators. He noted that greatest privacy
invaders are "super private." "They know everything about you, and you
have no idea who they are."
Mr. Nader said that privacy advocates need to hold government and
corporate privacy violators accountable. "Invasions of privacy are a
system of control that must be challenged," said Mr. Nader.
The group also heard from Hill staffpeople, members of the
Administration and other about prospects for privacy reform. Among
the issues discussed were medical record privacy, privacy protection
for the information infrastructure, Intelligent Transportation
Systems, and consumer privacy.
The group agreed to take specific action to oppose the $500 million
appropriation for the FBI wiretap bill, to support efforts to improve
medical record privacy, and to work together on privacy efforts around
the country.
=======================================================================
[2] European Privacy Directive Moves Forward
=======================================================================
The Council of Ministers of the European Community have adopted a
common position on the European data protection directive. As a
result, the directive will now go to the European Parliament for a
second reading. The directive is considered to be on a fast track for
adoption.
The directive is significant for European privacy because it will
require changes in existing privacy laws and necessitate the adoption
of privacy safeguards in the remaining European countries that do not
yet have legislation.
According to Professor Joel Reidenberg of Fordham Law School, "The
common position takes a stronger position on data protection than
existing national laws. There are also important implications for the
United States. The directive will result in greater scrutiny of
countries without a data protection commission and without adequate
legislative protections."
=======================================================================
[3] EPIC Calls for Congressional FOIA
=======================================================================
The Electronic Privacy Information Center (EPIC) on January 11 wrote
to Speaker of the House Newt Gingrich asking him to include the
Freedom of Information Act (FOIA) in the Congressional Accountability
Act, legislation that will make several statutes applicable to
Congress itself.
EPIC congratulated Speaker Gingrich on the introduction of the THOMAS
on-line information system but expressed surprise at the omission of
the FOIA from the list of statutes that will now be applied to
Congress. The letter stated "While the initiation of THOMAS will
contribute significantly to the public's understanding of
Congressional activities, we believe that an equally important
innovation would be to bring Congressional records within the coverage
of the Freedom of Information Act (FOIA)
EPIC Director Marc Rotenberg noted: "FOIA is essential to ensure that
government is truly accountable. The FOIA encourages informed debate
on national issues and effective participation in the political
process."
The Freedom of Information Act allows ordinary citizens and the media
to request specific documents from federal agencies to oversee the
workings of government. Agencies must release the information unless
it falls within a few narrow exceptions. EPIC has used the FOIA to
obtain critical documents on the Clipper Chip, the Digital Telephony
proposal and other documents relevant to electronic privacy issues.
A copy of EPIC's letter to Rep. Gingrich is available at cpsr.org
/cpsr/privacy/epic/epic_gingrich_foia.txt
=======================================================================
[4] New DOJ Guidelines on Computer Search and Seizure Guidelines
=======================================================================
The Electronic Privacy Information Center (EPIC) has obtained the
Department of Justice's recently issued "Federal Guidelines for
Searching and Seizing Computers." The guidelines provide an overview
of the law surrounding searches, seizures and uses of computer systems
and electronic information in criminal and civil cases. They discuss
current law and suggest how it may apply to situations involving
computers. The guidelines were developed by the Justice Department's
Computer Crime Division and an informal group of federal agencies
known as the Computer Search and Seizure Working Group.
Areas covered include encryption (where the guidelines suggest that
the government must provide limited immunity before requiring a
suspect to disclose a key), the Privacy Protection Act of 1980 (which
the guidelines suggest that all investigators review before seizing a
BBS) and the use of experts during searches and seizures. The
guidelines also review standards for using electronic evidence in
court and the Electronic Communications Privacy Act of 1986.
A more comprehensive analysis is available from EPIC at cpsr.org
/cpsr/privacy/epic/guidelines_analysis.txt. EPIC, with the
cooperation of the Bureau of National Affairs, is making the
guidelines available electronically. The document is available via
FTP/Gopher/WAIS/listserv from the EPIC online archive at cpsr.org
/cpsr/privacy/epic/fed_computer_siezure_guidelines.txt. A printed
version appears in the Bureau of National Affairs publication,
Criminal Law Reporter, Vol. 56, No. 12 (December 21 1994).
=======================================================================
[5] Court Dismisses LaMacchia Case
=======================================================================
On December 28, 1994, the U.S. District Court for the District of
Massachusetts dismissed the case against MIT Student David LaMacchia
for illegally distributing copyrighted software over the Internet. The
court found that there was no criminal act punishable under the
general wire fraud statues because Congress has declined to extend the
criminal penalties to the free distribution of copyrighted software.
The case was brought under the wire fraud statute because Congress has
limited the criminal penalties under Copyright Act to acts which are
"willful and for purpose of commercial advantage or private financial
gain." 17 U.S.C. Sec. 506(a). The court rejected the prosecutors'
arguments that the wire fraud act should apply, ruling that in the
area of copyrights, Congress has declined to enact criminal penalties
for the acts such as those of LaMacchia:
What the government is seeking to do is to punish
conduct that reasonable people might agree deserves
the sanctions of the criminal law. But as Justice
Blackmun observed in Dowling, copyright is an area
in which Congress has chosen to tread cautiously,
relying "chiefly . . . on an array of civil remedies
to provide copyright holders protection against
infringement," while mandating "studiously graded
penalties" in those instances where Congress has
concluded that the deterrent effect of criminal
sanctions are required.
The court worried that extending the general provisions would have
untold effects on computer users everywhere:
While the government's objective is a laudable one,
particularly when the facts alleged in this case are
considered, its interpretation of the wire fraud
statute would serve to criminalize the conduct of
not only persons like LaMacchia, but also the myriad
of home computer users who succumb to the temptation
to copy even a single software program for private
use. It is not clear that making criminals of a
large number of consumers of computer software is a
result that even the software industry would
consider desirable.
Finally, the judge suggests that the law should be changed to
criminalize these activities:
This is not, of course, to suggest that there is
anything edifying about what LaMacchia is alleged to
have done. If the indictment is to be believed, one
might at best describe his actions as heedlessly
irresponsible. and at worst as nihilistic, self-indulgent,
and lacking in any fundamental sense of values. Criminal
as well as civil penalties should probably attach to
willful, multiple infringements of copyrighted software
even absent a commercial motive on the part of the infringer.
One can envision ways that the copyright law could be
modified to permit such prosecution. But, "'[i]t is the
legislature, not the Court which is to define a crime,
and ordain its punishment.
EPIC will be monitoring any attempts to modify the copyright law. A
copy of the opinion is available from cpsr.org /cpsr/computer_crime/
us_v_lamacchia_decision.txt
=======================================================================
[6] IRS Initiates Massive New Database
=======================================================================
On December 20, the Internal Revenue Service announced in the Federal
Register that it was planning a new database to monitor compliance of
taxpayers in a project entitled Compliance 2000. The database would
contain information on all individuals in the U.S. who conduct certain
financial transactions and would be segmented by different criteria:
Any individual who has business and/or financial
activities. These may be grouped by industry, occupation,
or financial transactions, included in commercial
databases, or in information provided by state and local
licensing agencies.
The new database will combine private and public sector databases in a
single searchable entity. A number of federal financial databases
from the IRS will be enhanced with state, local and commercial
sources. The Federal Register notice describes the non-tax databases:
Examples of other information would include data
from commercial databases, any state's Department
of Motor Vehicles (DMV), credit bureaus, state and
local real estate records, commercial publications,
newspapers, airplane and pilot information, U.S.
Coast Guard vessel registration information, any
state's Department of Natural Resources
information, as well as other state and local
records. In addition, Federal government databases
may also be accessed, such as, federal employment
files, federal licensing data, etc.
Finally, even though the proposed system would use frequently
inaccurate "commercial databases" such as direct marketing records,
taxpayers would not be able to review their records to ensure that
they are accurate and up to date: "This system is exempt from the
access and contest provisions of the Privacy Act."
EPIC is filing comments asking the IRS to reconsider its use of
commercial databases and to ensure that there are greater safeguards
on the collection and use of personal information.
A copy of the Federal Register notice is available at cpsr.org
/cpsr/privacy/epic/IRS_compliance_2000_notice_txt
Comments on the proposed system must be received by January 19, 1995,
and sent to Office of Disclosure, Internal Revenue Service, 1111 Conn.
Ave, NW, Washington, DC 20224. EPIC's Comments are available at
cpsr.org /cpsr/privacy/epic/epic_irs_compliance_2000_comments.txt
=======================================================================
[7] EPIC WWW Page and Digicash Donations
=======================================================================
EPIC has set up a temporary World Wide Web page to enhance
individuals' access to its materials on privacy. The Web page
includes information such as the EPIC program and FAQ, material
on current issues of interest (including Clipper and the Digital
Telephony proposal) and HTML access to the current EPIC Alert. EPIC
will be announcing a permanent EPIC WWW, Gopher and FTP site in the
near future.
The Web page is set up in conjunction with Digicash, a Netherlands-
based company that specializes in cryptography and anonymous
transactions. The address is http://epic.digicash.com/epic
Individuals who are participating in testing Digicash's anonymous
online cash system can contribute to EPIC's work in support of civil
liberties. Digicash, after the testing period, will be announcing a
formal system of convertible money so individuals will be able to
donate actual money to EPIC. More information on the system is
available from http://www.digicash.nl.
=======================================================================
[8] Upcoming Privacy Related Conferences and Events
=======================================================================
Privacy, The Information Infrastructure and Healthcare Reform. Ohio
State University, Columbus, OH, Jan. 27. Contact:
vberdaye@magnus.acs.ohio-state.edu.
Cryptography: Technology, Law and Economics. New York City. Mar. 3,
1995. Sponsored by CITI, Columbia University. Contact:
citi@research.gsb.columbia.edu
Towards an Electronic Patient Record '95. Orlando, FL. Mar. 14-19,
1995. Sponsored by Medical Records Institute. Contact: 617-964-3926
(fax).
Access, Privacy, and Commercialism: When States Gather Personal
Information. College of William and Mary, Williamsburg, VA, March 17.
Contact: Trotter Hardy 804 221-3826.
Computers, Freedom and Privacy '95. Palo Alto, Ca. Mar. 28-31, 1995.
Sponsored by ACM. Contact: cfp95@forsythe.stanford.edu.
ETHICOMP95: An international conference on the ethical issues of
using Information Technology. DeMontfort University, Leicester,
ENGLAND, March 28-30, 1995. Contact: Simon Rogerson srog@dmu.ac.uk 44
533 577475 (phone) 44 533 541891 (Fax).
National Net '95: Reaching Everyone. Washington, DC. Apr. 5-7, 1995.
Sponsored by EDUCOM. Contact: net95@educom.edu or call 202/872-4200.
Information Security and Privacy in the Public Sector. Herdon, VA.
Apr. 19-20, 1995. Sponsored by AIC Conferences. Contact: 212/952-1899.
1995 IEEE Symposium on Security and Privacy. Oakland, CA, May 8-10.
Contact: sp95@itd.nrl.navy.mil.
INET '95. Honolulu, HI. June 28-30, 1995. Sponsored by the Internet
Society. Contact inet95@isoc.org.
Key Players in the Introduction of Information Technology: Their
Social Responsibility and Professional Training. July 5-6-7, 1995.
Namur, Belgium. Sponsored by CREIS. Contact: nolod@ccr.jussieu.fr.
Advanced Surveillance Technologies. Sept. 5, 1995. Copenhagen, Denmark.
Sponsored by Privacy International and EPIC. Contact pi@epic.org.
(Send calendar submissions to Alert@epic.org)
=======================================================================
The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send the message:
SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname
to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.
Back issues are available via FTP/WAIS/Gopher/HTTP from cpsr.org
/cpsr/alert and on Compuserve (Go NCSA), Library 2 (EPIC/Ethics). An
HTML version of the current issue is available from epic.digicash.com/epic
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data. EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information, email info@epic.org, WWW at
HTTP://epic.digicash.com /epic or write EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington, DC 20003. (202) 544-9240 (tel), (202)
547-5482 (fax).
The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a
national membership organization of people concerned about the impact
of technology on society. For information contact: cpsr-info@cpsr.org
If you'd like to support the work of the Electronic Privacy
Information Center, contributions are welcome and fully
tax-deductible. Checks should be made out to "The Fund for
Constitutional Government" and sent to EPIC, 666 Pennsylvania Ave.,
SE, Suite 301, Washington DC 20003.
Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose Clipper and Digital Telephony wiretapping proposals.
------------------------ END EPIC Alert 2.01 ------------------------